1. Field of the Invention
The present invention relates to a cryptographic module management apparatus, method, and program for selecting and delivering a cryptographic module in accordance with cryptographic module evaluation information in response to a cryptographic module delivery request from a client.
2. Description of the Related Art
When confidential information is to be handled, cryptographic processing has generally been performed conventionally. Such cryptographic processing involves use of cryptographic modules. A cryptographic module refers to a program required to perform cryptographic processing, including programs to perform various components of the cryptographic processing (e.g., hash function calculation, pseudo-random number generation processing, etc.). That is, the cryptographic module may come in a single program or the combination of a plurality of programs. In the following description, the cryptographic module can be realized in either of these two cases.
Note that a specific one of various cryptographic modules may be used redundantly in a plurality of cryptographic processing items in some cases. For example, a cryptographic module such as a hash function (SHA-1 etc.) may be used in digital signature generation, authentication code generation, and stand-alone type hash function computation. For use in digital signature generation, refer to an RSASSA described in “The exact security of digital signatures—How to sign with RSA and Rabin” by M. Bellare and P. Rogaway, In Advances in Cryptology—Eurocrypt '96, pp. 399-416, Springer-Verlag, 1996. For use in authentication code generation, see HMAC described in “Keying hash functions for message authentication” by M. Bellare, R. Canetti, and H. Krawczyk, In Advances in Cryptology—CRYPTO'96, pp. 1-15, Springer-Verlag, 1996.
The following will discuss the case of, for example, the management and utilization of cryptographic modules by a mobile terminal, etc., which does not have a large memory capacity. In this case, in order to save on usage of the memory in the mobile terminal, it is preferable to design cryptographic modules in such a manner that each of the modules may be provided for each of cryptographic processing components and the same cryptographic module may be used by the cryptographic processing items commonly.
However, in order to deliver a cryptographic module for each component in response to a selection request from the terminal device, it is necessary to select such a combination of the cryptographic modules as to meet the selection request. Further, to perform an evaluation in a case where the cryptographic modules have been combined, loads on a process from the reception of a selection request to the completion of the selection will be increased, which is a problem.